Channel: Security forum

Can't find Certificate


Hi- Windows Server 2012 R2 Data Center. It's a DC and the hardware is HP Proliant... I have their management software installed (local web portal). When I access the web site I get an error saying "The CA Root certificate is not trusted. To enable trust install this certificate in the Trusted Root Certification Authorities store."

I loaded the certificates snap-in and looked through every store, but can't find the certificate to which it refers. Where the heck is it? How can I find it?

Thanx


You should never, never doubt what nobody is sure about. -Willy Wonka


deleting an old adm acct

I have an HP 255 G6 Notebook running Win 10 Home Edition. I purchased it from a local pawn shop and they had made the pawn shop the administrator. I made an administrator account for myself but nothing I have tried will successfully delete the old pawn shop account. It no longer shows up in the user accounts as an administrator, but it is still in Task Manager and Windows PowerShell. Is it possible to delete this account?

Server 2012 Enterprise Root CA in a cluster?


I am wondering if it is supported to install an Enterprise Root CA as a clustered service in Server 2012. All the documentation I can find only deals with Subordinate Authorities, not the Root CA.

Plus, the Microsoft documentation mentions that the CA only supports a 2-node cluster? If I have a 3-node cluster, does that mean that importing the certificates onto the 3rd node will fail? I understand that the role can only be active/passive, but why can't you have multiple passive nodes?

Certificate Authority Transfer


Currently, I have the ADCS role on my 2012 server.  I would like to move all roles to my 3 new 2016 servers. I have moved FSMO roles and only have one thing left that my 2012 server is doing, which is ADCS. 

I was going through https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn486797(v=ws.11) but this says to choose the root ca > all tasks > backup and I did not see that option. 

I have a few screenshots of what my Certification Authority looks like; only two folders have contents in the snap in. 

https://1drv.ms/f/s!Ap-oFmKTDirLgRKYX8kqRLrCnADJ

For reference, DC2 is the 2012 server, Peach, Toad and Waluigi are the new 2016 servers. I would like to install the ADCS role on Waluigi and have that server take it over

Is it possible to retain the same Challenge Password for MSCEP when you migrate a CA?


Hi,

I am looking to migrate my CA from a Server 2008 R2 VM to a Server 2012 R2 VM.

I have found a procedure to do this on the MS site which I have tested and am happy with apart from one detail.

Migrating the CA is straightforward, but because I then have to install NDES separately, the enrollment challenge password changes.

This makes sense to me really, it's a new install so it stands to reason that a new PW would be generated.

I'm just wondering if there is a way round this so my new server uses the same PW as the old one?

We have a lot of devices that use this challenge PW to acquire certificates, it would be nifty if this password stayed the same.

I'm pretty confident the answer is no, but worth an ask anyway.

Change the CA certificate of the subordinate CA.

Hello,

We just changed the certificate authority on Linux; the problem is that our domain controller on Windows Server 2012 is the subordinate CA.

What we want to do is change the CA of our subordinate CA and then renew the CA subordinate with the new CA.

We tried to import the new CA by going to "Certificate Authority (Local)" -> "All Tasks" -> "Install Certificate Authority Certificate".
But it tells us that the certificate does not match the old CA (which is normal considering that we want to put a new one in place and not just renew it).

We also tried to generate a new certificate from our subordinate, to do this we go to "certificate authority (local)" -> "All tasks" -> "Renew certificate authority certificate"
We have reclaimed the .req on our new certification authority, then we generated a certificate, from this step we do not know where to import it.

Thank you in advance for your help.

Excessive logging on web server


Today I noticed MANY event id 4624, 4634 and 4672 in our Windows Logs - Security Log when I open pages from a web site solution in Visual Studio 2017 on workstations.  It is generating thousands of these log entries every minute.  I have even tried this when I am the only logged in user on the server.

1. There was no RDP to the server when the excess security logging was happening and I have tried this on a different workstation with VS 2017 and the same thing happens. The solution opens an asp.net website located on the server and if I close the solution the event entries stop.

2. I watched the task manager on the server and it showed a high volume of disk activity as soon as I opened the Visual Studio project that was opening a web site on the server.  The disk activity went way down as soon as I closed the VS project.  I tried this same website in Visual Studio on another PC and it did the same thing.

3. Below is a sample of the 4624 events that are being created at extremely high volume (3,000/minute) until I close the project.

An account was successfully logged on.

Subject:
	Security ID:		NULL SID
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		SYSTEM
	Account Name:		LIFEDEV2012$
	Account Domain:		DEVDOMAIN.LIFETIMEINC.COM
	Logon ID:		0x2AE8B48
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{d0ee44fd-bf09-2a46-d015-2c5191e3f823}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	fe80::5efe:169.254.148.196
	Source Port:		57478

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

We have Windows Server 2016.  How can I stop this activity?
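As an added example (not from the original post), here is a small parser for the 4624 text body above together with a classification rule for the pattern it shows; the rule's reading of a computer account, NULL SID subject and ISATAP link-local source as the host talking to itself is an assumption to verify against the server's own interfaces, not a documented verdict.

```python
"""Parse the text body of a Windows Security 4624 event and classify it."""
import re

# Constructed sample: the fields shown in the post, tab-indented as in the
# Event Viewer "General" text (escapes produce real tabs).
SAMPLE_4624 = """An account was successfully logged on.

Subject:
\tSecurity ID:\t\tNULL SID
\tAccount Name:\t\t-
\tAccount Domain:\t\t-
\tLogon ID:\t\t0x0

Logon Information:
\tLogon Type:\t\t3
\tElevated Token:\t\tYes

New Logon:
\tSecurity ID:\t\tSYSTEM
\tAccount Name:\t\tLIFEDEV2012$
\tAccount Domain:\t\tDEVDOMAIN.LIFETIMEINC.COM
\tLogon ID:\t\t0x2AE8B48

Network Information:
\tWorkstation Name:\t-
\tSource Network Address:\tfe80::5efe:169.254.148.196
\tSource Port:\t\t57478

Detailed Authentication Information:
\tLogon Process:\t\tKerberos
\tAuthentication Package:\tKerberos
"""

FIELD = re.compile(r"^\t([^:]+):\t+(.*)$")   # "\tKey:\t\tValue"
# ISATAP link-local form fe80::5efe:<IPv4>, as in the post's source address.
ISATAP_LINK_LOCAL = re.compile(r"^fe80::5efe:(\d+\.\d+\.\d+\.\d+)$", re.I)


def parse_event(text):
    """Return {section: {field: value}} from the tab-indented event body."""
    sections, current = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and current is not None:
            sections[current][m.group(1).strip()] = m.group(2).strip()
        elif line.endswith(":") and not line.startswith("\t"):
            current = line[:-1]
            sections[current] = {}
    return sections


def classify(ev):
    """Label one parsed 4624; 'self-logon-candidate' is the post's pattern."""
    logon_type = ev.get("Logon Information", {}).get("Logon Type")
    subject_sid = ev.get("Subject", {}).get("Security ID")
    account = ev.get("New Logon", {}).get("Account Name", "")
    source = ev.get("Network Information", {}).get("Source Network Address", "")
    if (logon_type == "3" and subject_sid == "NULL SID"
            and account.endswith("$") and ISATAP_LINK_LOCAL.match(source)):
        # Computer account, network logon, ISATAP link-local source: most
        # likely the host authenticating to itself (assumption: confirm the
        # address belongs to this server). Noise candidate, not an intrusion.
        return "self-logon-candidate"
    if logon_type == "3" and account.endswith("$"):
        return "machine-account-network-logon"
    return "other"
```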

ADCS Enterprise CA - Creating certificates with custom extensions


We have a need to issue leaf certificates from our enterprise issuing CA which contain a custom extension.  I was able to generate a certificate request that contains the custom extension using OpenSSL.  Here is the section from OpenSSL.cnf which enabled this:

[v3_req]
0.4.0.19495.1=critical,ASN1:UTF8String:0.4.0.19495.1.2

Once the certificate request is created, I can verify that the custom extension was processed (I have no idea whether this is how it should look):

>certutil c:\temp\eIDAS_PISP2.csr

Certificate Extensions: 1
    0.4.0.19495.1: Flags = 1(Critical), Length = 11
    Unknown Extension type

    0000  0c 0f 30 2e 34 2e 30 2e  31 39 34 39 35 2e 31 2e   ..0.4.0.19495.1.
    0010  32                                                 2
0000: 0c 0f                                     ; UTF8_STRING (f Bytes)
0002:    30 2e 34 2e 30 2e 31 39  34 39 35 2e 31 2e 32     ; 0.4.0.19495.1.2
            ; "0.4.0.19495.1.2"

I am, in turn, able to have our CA sign the request; however, the CA response does not include this extension. I am assuming that ADCS is either ignoring or outright blocking this portion of the CSR from being considered.

Am I going about this the right way? It doesn't look as if I can create an ADCS certificate template which automatically includes a given extension (I can only add attributes to default extensions). Is there an ADCS CA server configuration that needs to be made in order for the extension to be included in the CA response?

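The certutil dump above is just the DER encoding of the UTF8String that the ASN1:UTF8String: directive produces. As an added example (not from the post), this minimal encoder/decoder reproduces those bytes so a request can be checked before submission; the OID and the string value are the post's, the helper names are mine.

```python
"""Encode/decode the DER UTF8String value of the custom extension."""

EXT_OID = "0.4.0.19495.1"          # the custom extension OID from the post
EXT_VALUE = "0.4.0.19495.1.2"      # ASN1:UTF8String payload from [v3_req]
UTF8STRING_TAG = 0x0C
# Note: the post marks the extension critical. Per RFC 5280 a relying party
# that does not recognise a critical extension must reject the certificate,
# so only do that when every consumer of the leaf certificate understands it.


def der_length(n):
    """DER length octets: short form below 128, minimal long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_utf8string(text):
    """Encode text as a DER UTF8String (tag 0x0c)."""
    payload = text.encode("utf-8")
    return bytes([UTF8STRING_TAG]) + der_length(len(payload)) + payload


def der_decode(blob):
    """Decode exactly one TLV and return (tag, value); rejects non-DER forms."""
    tag, first = blob[0], blob[1]
    if first < 0x80:
        length, start = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > len(blob) - 2 or blob[2] == 0:
            raise ValueError("indefinite or non-minimal length is not DER")
        length = int.from_bytes(blob[2:2 + nbytes], "big")
        if length < 0x80:
            raise ValueError("long form used for a short length is not DER")
        start = 2 + nbytes
    value = blob[start:start + length]
    if len(value) != length or start + length != len(blob):
        raise ValueError("truncated value or trailing bytes")
    return tag, value


def matches_certutil_dump(dump_hex, expected_text):
    """True if certutil's hex bytes decode to the UTF8String we asked for."""
    tag, value = der_decode(bytes.fromhex(dump_hex))
    return tag == UTF8STRING_TAG and value.decode("utf-8") == expected_text
```

On the CA side, as far as I know (the post does not mention it), an enterprise CA's policy module only copies request extensions listed in the Policy\EnableRequestExtensionList registry value (certutil -setreg policy\EnableRequestExtensionList +<oid>); verify that on a test CA before touching production.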

CA migration


Hi there,

We have a Windows 2008 Root CA and separate Windows 2008 Intermediary CA.  I would like to upgrade the CAs to 2016 but have not worked a lot with Intermediary CAs before.

Previously I have migrated a 2008 R2 CA cluster to a stand-alone box (datacenter move) and I'm fairly comfortable with the Root CA portion of the migration. I'm just not positive what I should do with the Intermediary, not to mention the order. Do I do the Intermediary first then the Root, the opposite, or take both down at the same time?

To throw a wrinkle into the mix we have *sigh* a few Windows 2003 machines that are running mission critical apps at the moment.  From this article (https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/) there's a warning about 2003 and XP machines not being able to get certs if the CA is configured to give out SHA256 certs.  At the moment ours are and the 2003 machines are getting SHA1 certs...so I have no idea how this is working or if it's something I should even be concerned about.

Any help you can provide would be appreciated.

Marissa

How to fix error Kerberos pre-authentication failed ?


Hi everyone,

Recently, I have had a problem with domain users. Their accounts are frequently locked out. I checked the Event Viewer in the domain and saw error code 4771 with the notice: Kerberos pre-authentication failed.

My company uses Windows Server 2012 R2 and Windows 10. Currently we have 40 users and 5 users are encountering this error.

Please help me resolve it.  Thanks

Multiple SMB login failure from windows 10 machine towards the File server using local user account as well as computer accounts


I have observed Multiple SMB login failure events from a windows machine.

We have two scenarios in our environment. 

1. Authentication using Computer Account name

2. Authentication using local user accounts on File Server

I'll explain what checks I have done so far.

* Initially we observed multiple login failure events. In the login failure events, the username shown is the computer account or a local user account.

* Then we tried capturing traffic using Wireshark. In that I can see the SMBv2 protocol and NTLMSSP_AUTH happening using the computer or local account. I can also see the response to the authentication as NT Status: STATUS_LOGON_FAILURE (0xc000006d).

* Then I ran netstat -ao | findstr 445 to find the process that is making the connection to the destination IP. I found the process to be System - Process ID 4.

* Then I cleared the Credential Manager as well.

* I also checked the SMB client service (Workstation - LanmanWorkstation) and checked its Log On As setting; Network Service is selected.

Can someone help me identify where exactly this configuration is made, so that I can change it and the events will stop?

Please help me to identify and stop the events.

Also I have checked all the schedule tasks, batches and scripts running on the source machine. Nothing is configured to use the local user account  or computer account.

Query disabled accounts in a particular security group


Hi Team,

We need a query to list disabled accounts in a particular security group in a Windows Server 2008 R2 domain and pipe it out to any kind of document.

Could you please suggest any command line tools with the syntax.

Thanks!

You don't have administrator privileges on the server


While creating a failover cluster on a Windows 2012 R2 server I am getting the error "you don't have administrator privileges on the server". I have tried:

1) Rejoining the machine to the domain

2) Installing all Windows updates on the machine and domain

The issue is still there.

Please help as early as possible.

Thanks in advance


Nilesh Savant

Event ID for Windows License Expires.


Hi,

I am in the process of setting up a SCOM alert to capture Windows License expiry. What is the event log ID for Windows Server License expiry?

BR,

Pesala

Event ID 4740 A user account was locked out every 30-60min


Hi,

I have found that the guest account was locked out every 30-60 min. There is no failed logon activity or successful logon, and this account was disabled in AD. I need to know what happened on my server. Is it a security risk?

Information: Policy account lockout duration 30 min

Policy account lockout threshold 5 time

Policy reset account lockout counter after 30 min

Event information:

192.168.100.213||Security||71874200||Microsoft-Windows-Security-Auditing||4740||62||1505100809||4||SFTP01.dc.abc.local||||User Account Management||7||guest||||S-1-5-21-482707596-1509531872-1928891951-501||S-1-5-18||SFTP01$||DC||0x3e7||A user account was locked out.
Subject:
 Security ID:  S-1-5-18
 Account Name:  SFTP01$
 Account Domain:  DC
 Logon ID:  0x3E7
Account That Was Locked Out:
 Security ID:  S-1-5-21-482707596-1509531872-1928891951-501
 Account Name:  guest
Additional Information:

 Caller Computer Name: 

Times at which the guest account was locked out:

9/11/2017 14:19 9/11/2017 14:19 1 25 43-263047400 A user account was locked out.
9/11/2017 13:46 9/11/2017 13:46 1 25 43-263047400 A user account was locked out.
9/11/2017 12:54 9/11/2017 12:54 1 25 43-263047400 A user account was locked out.
9/11/2017 12:07 9/11/2017 12:07 1 25 43-263047400 A user account was locked out.
9/11/2017 11:26 9/11/2017 11:26 1 25 43-263047400 A user account was locked out.
9/11/2017 10:33 9/11/2017 10:33 1 25 43-263047400 A user account was locked out.
9/11/2017 9:46 9/11/2017 9:46 1 25 43-263047400 A user account was locked out.
9/11/2017 9:05 9/11/2017 9:05 1 25 43-263047400 A user account was locked out.
9/11/2017 8:12 9/11/2017 8:12 1 25 43-263047400 A user account was locked out.
9/11/2017 7:25 9/11/2017 7:25 1 25 43-263047400 A user account was locked out.
9/11/2017 6:44 9/11/2017 6:44 1 25 43-263047400 A user account was locked out.
9/11/2017 5:52 9/11/2017 5:52 1 25 43-263047400 A user account was locked out.
9/11/2017 5:05 9/11/2017 5:05 1 25 43-263047400 A user account was locked out.
9/11/2017 4:24 9/11/2017 4:24 1 25 43-263047400 A user account was locked out.
9/11/2017 3:31 9/11/2017 3:31 1 25 43-263047400 A user account was locked out.
9/11/2017 2:44 9/11/2017 2:44 1 25 43-263047400 A user account was locked out.
9/11/2017 2:03 9/11/2017 2:03 1 25 43-263047400 A user account was locked out.
9/11/2017 1:10 9/11/2017 1:10 1 25 43-263047400 A user account was locked out.
9/11/2017 0:23 9/11/2017 0:23 1 25 43-263047400 A user account was locked out.
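As an added example (not from the original post), the following checks the lockout series above against the policy values the post gives: the lockout times, thresholds and the collector line are the post's, while the '||' field positions are inferred from that single sample and are an assumption.

```python
"""Relate the 4740 lockout series to the account lockout policy."""
from datetime import datetime

LOCKOUT_DURATION_MIN = 30   # "account lockout duration 30 min" (post)
LOCKOUT_THRESHOLD = 5       # "account lockout threshold 5" (post)

# Constructed from the post's list (9/11/2017, local time, newest first).
LOCKOUT_TIMES = [
    "9/11/2017 14:19", "9/11/2017 13:46", "9/11/2017 12:54", "9/11/2017 12:07",
    "9/11/2017 11:26", "9/11/2017 10:33", "9/11/2017 9:46", "9/11/2017 9:05",
    "9/11/2017 8:12", "9/11/2017 7:25", "9/11/2017 6:44", "9/11/2017 5:52",
    "9/11/2017 5:05", "9/11/2017 4:24", "9/11/2017 3:31", "9/11/2017 2:44",
    "9/11/2017 2:03", "9/11/2017 1:10", "9/11/2017 0:23",
]

# The collector line from the post; fields are '||'-separated.
COLLECTOR_LINE = (
    "192.168.100.213||Security||71874200||Microsoft-Windows-Security-Auditing"
    "||4740||62||1505100809||4||SFTP01.dc.abc.local||||User Account Management"
    "||7||guest||||S-1-5-21-482707596-1509531872-1928891951-501||S-1-5-18"
    "||SFTP01$||DC||0x3e7||A user account was locked out."
)


def parse_collector_line(line):
    """Pull the fields a defender needs; the indices are an assumption."""
    f = line.split("||")
    return {
        "event_id": int(f[4]),
        "computer": f[8],             # DC that reported the lockout
        "target_account": f[12],
        "target_sid": f[14],          # RID 501 is the built-in Guest account
        "subject_account": f[16],
    }


def is_builtin_guest(sid):
    """Well-known RID 501: the domain's built-in Guest, whatever its name."""
    return sid.endswith("-501")


def lockout_intervals(times):
    """Minutes between consecutive lockouts, oldest to newest."""
    ts = sorted(datetime.strptime(t, "%m/%d/%Y %H:%M") for t in times)
    return [int((b - a).total_seconds() // 60) for a, b in zip(ts, ts[1:])]


def looks_like_persistent_retry(intervals, lockout_minutes=LOCKOUT_DURATION_MIN):
    """True when every gap is at least the lockout duration: the account is
    re-locked shortly after each lockout expires, so something keeps sending
    bad credentials. The matching failures (4771/4776) land on whichever DC
    or server the caller authenticates against, not necessarily this one."""
    return bool(intervals) and all(i >= lockout_minutes for i in intervals)
```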




Need help with Server 2012 R2 domain controller registry warnings, Source CertificateServicesClient-AutoEnrollment, Event ID 64


(I asked the following question in the Server forum, someone suggested asking in this forum instead...)

I need help with a lot of registry warnings on my Server 2012 R2 domain controller, 3 per day, all the same, sample below. Can anyone help me resolve this issue?

Registry entry sample:

Log: Application
Source: CertificateServicesClient-AutoEnrollment
Event ID: 64
Description: Certificate for local system with Thumbprint _____ is about to expire or already expired. (Thumbprint removed for security purposes.)
Provider:
   [ Name]  Microsoft-Windows-CertificateServicesClient-AutoEnrollment 
   [ Guid]  {F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43} 
   [ EventSourceName]  AutoEnrollment 

I started scanning my cert store for likely certs without success, then resorted to a full PowerShell dump to a text file and still couldn't find a cert with a matching thumbprint. My PowerShell script is:

cd Cert:\
ls . -Recurse

I got nearly 1300 lines of output (i.e. zillions of certs), but the thumbprint in the registry warning is not listed.

SCEP Update failed with hr: 0x80072f8f 0x80070002 if outside LAN


I have SCEP configured:

which works perfectly fine. Updates are downloaded daily to a share by a scheduled task, and clients update from this share on schedule.

Policies apply fine & show correctly in

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Microsoft Antimalware\Signature Updates

FallbackOrder = FileShares|MicrosoftUpdateServer|InternalDefinitionUpdateServer

But if the user takes laptop home the updates do not happen. Of course they would not happen from the share (as it is not accessible), but SHOULD happen directly from MS site

I can even try to force a manual update from the GUI; it always errors out the same way.

MpCmdRun: Command Line: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1807.18075-0\MpCmdRun.exe" SignaturesUpdateService -UnmanagedUpdate
 Start Time: Sun Aug 19 2018 14:36:21

MpEnsureProcessMitigationPolicy: hr = 0x0
Start: Signatures Update Service
Update Started
Search Started (MU/WU update) (Path: https://fe2.update.microsoft.com/v6/)...
Search Completed 
Update failed with hr: 0x80072f8f
Update completed with hr: 0x80072f8f
End: Signatures Update Service
MpCmdRun: End Time: Sun Aug 19 2018 14:36:23


But I can download the full signature package mpam-fe.exe and run it (as the same user) and it updates fine.

Something is just odd, any ideas anybody?

Seb




Multiple authentication errors in Security from single source


Hi,

There are a large number of failure alerts in the security log on multiple Windows (2003 and 2000) servers from the same source. Below are the error log details.

Event ID: 680

MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Error Code:0xC0000064

Logon account: Domain Controller local account (i.e, Computername$)

Source Workstation: Domain Controller

Is there any way to track why this DC is trying to authenticate to these computers and what it is trying to do?

We are getting many more alerts like this.


vicky

A question about "Certificate Enrollment Web Services" e.g. CEP/CES


Hello,

I read the following article

https://blogs.technet.microsoft.com/askds/2010/02/01/certificate-enrollment-web-services/

When it comes to non-domain-joined computers obtaining certificates from a domain-joined CA (Enterprise CA) over TLS (aka SSL),

I understand the concepts of what the article says, however there is a line that reads

Step 4. CES web service impersonates the client security context to request a certificate via DCOM, and then hands the certificate back to the client.

In order to 'impersonate a client' you need a 'security context', e.g. the security context of the client (for example creating a token based on their TGT, aka delegation). However the client in this case is 'not domain joined', therefore the client will not be passing a Kerberos ticket or any SID information from Active Directory to the CES/CEP server from which it can create a token to impersonate the client. Therefore I assume the security context for this impersonation will be based on anonymous (and possibly the Everyone group, if the local security policy on the server is configured to add this Everyone SID to any anonymous access request).

If that is the case (e.g. using anonymous and possibly Everyone) that would mean you would need to add an ACE (access control entry) for anonymous/Everyone to the certificate template(s) to allow a client to request a certificate based on that template.

Also, does CEP/CES offer a REST API?

Can someone please clear this up for me?

Thank you 

CXMelga

Certsrv site not showing any template and not able to request cert


Hi All, 

I am facing an issue with the Cert Srv site. When I log in with a domain/Enterprise/built-in administrator user to the certsrv site and request an advanced certificate, I do not see any template. Earlier there was a template which I deleted; now I do not see any default template, i.e. WebServer.

Under the application event log I see the warning message: Element not found.

The "Windows default" Policy Module logged the following warning: The XMS_Template Certificate Template could not be loaded.  Element not found. 0x80070490 (WIN32: 1168 ERROR_NOT_FOUND).

The other one: The "Windows default" Policy Module logged the following warning: The Active Directory connection to DC01.xmlab.net has been reestablished to DC01.xmlab.net.

I checked all the permissions; all are good.

I checked the IIS site and pool; all are good.

I checked Sites and Services for PKI permissions; all are good.

DC01.xmlab.net is an Enterprise root CA.

I face 2 more issues on the same DC:

1. When I try to generate/request any CA from MMC, it crashes.

2. I am not able to generate a CA request from IIS; I am getting an error.

We have CAs like below.

XMLAB-DC01-CA -- Enterprise CA - all 5 FSMO roles running on DC1

XMLAB-DC02-CA -- Enterprise subordinate CA - another GC server - on this server I am able to request certs using MMC

Sub1-Sub1-DC03-CA -- Enterprise subordinate CA - child domain

Please help - let me know if you need any details.

Thanks - Suman
